Updating the Privacy Act of 1974

June 05, 2009

The Privacy Act of 1974 passed as the result of a government-wide push toward the development of policies and practices to protect the information of citizens and other individuals. While the underlying framework of the law, rooted in the principles of Fair Information Practices (FIPs), is still sound, the thirty-five year-old wording of the Act renders it ill-equipped to meet many of the privacy challenges posed by modern information technology.

1) Updating the Privacy Act of 1974

The Privacy Act of 1974 passed as the result of a government-wide push toward the development of policies and practices to protect the information of citizens and other individuals. While the underlying framework of the law, rooted in the principles of Fair Information Practices (FIPs), is still sound, the thirty-five year-old wording of the Act renders it ill-equipped to meet many of the privacy challenges posed by modern information technology.

Building on the recent work of the National Institute of Standards and Technology’s Information Security and Privacy Advisory Board and the Government Accountability Office, CDT brought together a working group of public interest organizations, government representatives, and members of the private sector to draft the E-Privacy Act Amendments of 2009. We are opening this policy-drafting process to the public, and have created a wiki to allow the public to edit the draft before it is submitted to Congress. The E-Privacy Act Wiki allows anyone to read any part of the bill, change the language, provide feedback, or simply open a discussion on any provision of the bill.

CDT hopes that FIPs can continue to serve as the basis of data collection in the federal government through these proposed amendments and welcomes public comment to the wiki through June 28.

In the sections below, CDT explores the underlying FIPs framework and outlines three critical amendments: the creation of federal privacy leadership, updated definitions to match changing data practices, and the strengthening of privacy notices.

NISTISPAB Report, Toward A 21st Century Framework for Federal Government Privacy Policy

2) Fair Information Practices are Central

FIPs represent is a simple approach to making information use transparent and empowering citizens. The general principles of FIPs state that:

There must be no personal data record-keeping systems whose very existence is secret;

There must be a way for an individual to find out what information is in his or her file and how the information is being used;

There must be a way for an individual to correct information in his or her records;

Any organization creating, maintaining, using, or disseminating records of personally identifiable information must assure the reliability of the data for its intended use and must take precautions to prevent misuse; and

There must be a way for an individual to prevent personal information obtained for one purpose from being used for another purpose without his or her consent.

Despite the excellent basis and framework for the law, loopholes were identified as soon as 1977, when the Privacy Protection Study Commission found that advances in technology threatened to outpace the Privacy Act. Recent advances in information technology render the limitations of the Privacy Act even more significant.

3) The Creation of Federal Privacy Leadership

The first goal of CDT’s amendments is to create positions in the government with the responsibility to ensure responsible privacy practices. Despite the strong privacy policies enacted by a number of agencies, many privacy failures have occurred because there is no one person responsible for privacy within these agencies or the federal government as a whole. While most corporations have Chief Privacy Officers, the government does not, and there is no consistent model or guidance for agencies to follow. The lack of guidance from the Office of Management and Budget around the Privacy Act has compounded the challenges of privacy as information technology evolves.

CDT’s E-Privacy Act amendments establish a Chief Privacy Office within OMB, who will oversee agency privacy practices and government privacy practices as a whole. In addition, the amendments create CPO positions in all Executive branch Departments and major agencies, to be overseen by the OMB CPO as a CPO Council – an interagency forum to establish best practices for and experiences with agency privacy policy.

4) Updating Definitions to Match Changing Data Practices

Technology has evolved far beyond the letter of the Privacy Act in the thirty-five years since its passage; even the E-Government Act of 2002 failed to close this gap. The Privacy Act was designed to accommodate agency-held flat files, but computing has moved towards forms of networked centralization and relational databases beyond the Privacy Act’s reach. In addition, the Privacy Act’s drafters did not contemplate the industry that has arisen around collecting and sharing information with the government.

The Act is only invoked when the government handles data that the Act defines as â€œa system of records.â€? If a collection of information does not fall under the definition, then the protections of the Act do not apply. A recent GAO report noted that this â€œsystem of recordsâ€? definition is far too narrow to encompass government information use today. For example, only data that is retrieved â€œby the name of the individual or by some identifying number [or other unique identifier]â€? receives protection, leaving data retrieved by other queries – such as health condition, address, or criminal history – uncovered. The Act also does not apply to records held by other entities, like information resellers and public sources of personal information.

CDT’s draft amendments re-define a system of records in order to clarify that all groups of records held by agencies are systems of records. The amendments also update the E-Government Act of 2002 to require privacy impact assessments for government use of information from commercial databases.

5) Strengthening Privacy Notices

The Privacy Act does not currently achieve its purpose of informing the public of how information in a particular system of records will be used. The privacy notices that are published in the Federal Register are not widely accessible, and typically serve only as amendments to older notices. Accordingly, the notices are hard to read and harder to understand. Further, agencies are not required to disclose â€œroutineusesâ€? of data, a loophole whose exceptions have proven so numerous as to be laughable. This problem is not new; even the 1977 Privacy Protection Study Commission Report suggested that agencies were not being forthcoming or clear with their privacy notices.

The E-Government Act of 2002 requires agencies to create Privacy Impact Assessments (PIAs), but these are often not completed, and there is no guidance as to how a PIA should be conducted. As such, while some agencies complete excellent PIAs, many require guidance on them.

To be effective, privacy notices must be relevant, easy-to-read, and consistent. Accordingly, CDT’s proposed amendments include the creation of a centralized website for privacy notices, to be overseen by the OMB Chief Privacy Officer, and improvements to the notices themselves including a clear statement of the purposes for which the data may be used, the entities with whom the data may be shared, and the underlying source of authority for these uses of data. These amendments also update the E-Government Act of 2002 to clarify the circumstances under which a PIA must be conducted.